Memorandum 



U.S. Department of 
Transportation 


Office of the Secretary 
of Transportation 


Office of Inspector General 


Subject: COMPLAINT CLOSING: VOLPE Intrusion - C11N007CCU

Date: October 12, 2011

From: (b)(6), (b)(7)c
Computer Crimes Unit, JI-2

To: File

On August 23, 2011, (b)(6), (b)(7)c Cyber Security Management Center (CSMC) advised the Computer Crimes Unit (CCU) of a recent compromise (b)(5), (b)(7)e. According to (b)(5), (b)(6), (b)(7)c, (b)(7)e

(b)(5), (b)(7)e CCU opened a complaint relating to this incident to determine if this activity was a result of intentional malicious activity conducted by a DOT employee or contractor, or a targeted attack against certain individuals within VOLPE.


Reply to Attn of: JI-2


Based on a CSMC forensic report provided to CCU by (b)(6), (b)(7)c on September 9, 2011, the Initial Intrusion Vector (IIV) for this incident was a spear phishing email received by (b)(6), (b)(7)c VOLPE on August (b)(2), 2011. (b)(6), (b)(7)c DOT system was infected with malware after clicking on a link contained within the spear phishing email. (b)(5), (b)(7)e

(b)(5), (b)(6), (b)(7)c, (b)(7)e

to CSMC, the spear phishing email and subsequent malicious activity were performed by overseas actors who used a known intrusion set to collect password hashes and perform off-line password cracking.


CSMC's report also identified vulnerabilities that made this compromise possible, including (but not limited to) the following:

(b)(5), (b)(7)e

* On Windows Server systems, a domain controller (DC) is a server that responds to security authentication requests (logging in, checking permissions, etc.) within the Windows Server domain.


Based upon a review of CSMC's forensic report and subsequent conversation with


(b)(5), (b)(6), (b)(7)c, (b)(7)e 






Memorandum 





Subject:

Date: October 3, 2012

From: Special Agent-in-Charge, JI-2

To:

Reply to Attn of: JI-2


On (b)(2), 2012, this complaint was generated by an OIG project in order to determine if the unauthorized accesses of Department of Transportation (DOT) Information Technology (IT) resources were due to DOT employee misuse of computers, malicious insider activity, or poor cyber security practices. The DOT Office of Inspector General (OIG) conducted an in-depth review of DOT employee web activity in order to identify accesses to both high risk top level domains (i.e. foreign domains and websites) as well as websites identified as "most suspicious" by the SANS Internet Storm Center website. The employee's web activity was matched with DOT's Cyber Security Management Center (CSMC) alerts data. (b)(6), (b)(7)c was identified as having potentially suspicious internet activity. In addition, there had been an unusually high number of CSMC alerts on computers in (b)(6), (b)(7)c work area.

OIG analysis of internet logs determined that (b)(5), (b)(6), (b)(7)c, (b)(7)e 


(b)(5), (b)(6), (b)(7)c, (b)(7)e 




(b)(5), (b)(6), (b)(7)c, (b)(7)e


OIG's forensics analysis of (b)(6), (b)(7)c DOT issued laptop did not identify any malicious activity. The analysis was able to confirm that (b)(5), (b)(6), (b)(7)c, (b)(7)e


(b)(5), (b)(6), (b)(7)c, (b)(7)e 


(b)(5) 

Since OIG's preliminary inquiry and forensic analysis of (b)(6), (b)(7)c DOT issued computer did not identify any malicious activity, no further OIG investigative activity is anticipated. It is recommended that this complaint be closed.




Memorandum 





Subject: ACTION: OIG Investigation of (b)(6), (b)(7)c (C11N006CCU)

Date: October 17, 2011

From: William Swallow
Supervisory Special Agent
Computer Crimes Unit, JI-2 (b)(6), (b)(7)c

To: Cheryl Ledbetter
Information Systems Security Officer (ISSO)
Federal Highway Administration (FHWA)

Reply to Attn of: JI-2

This memorandum summarizes the results of an Office of Inspector General (OIG) investigation involving (b)(6), (b)(7)c a GENEX Systems (b)(6), (b)(7)c FHWA (b)(6), (b)(7)c and is being forwarded for your review and appropriate administrative action.

On August 1, 2011, the Cyber Security Management Center (CSMC) referred to the OIG Computer Crimes Unit (CCU) an incident (FY11-2925) that involved an unknown host and suspicious network traffic. The host was identified as a non-COE (Common Operating Environment) machine, but the IP addresses resolved back to FHWA. The


(b)(5), (b)(7)e 


(b)(5), (b)(6), (b)(7)c, (b)(7)e 


On September (b)(2), 2011, (b)(5), (b)(6), (b)(7)c, (b)(7)e

(b)(5), (b)(6), (b)(7)c, (b)(7)e

* A Media Access Control (MAC) address is a unique identifier assigned to network interfaces for communications on the physical network segment.




(b)(5), (b)(6), (b)(7)c, (b)(7)e

(b)(5), (b)(6), (b)(7)c, (b)(7)e

This information is being referred back to FHWA for any administrative actions deemed appropriate. Please advise this office within 90 days of any action taken as a result of this memorandum.


If you have any questions, or if we can be of further assistance, please do not hesitate to contact (b)(6), (b)(7)c at (b)(6), (b)(7)c.






Memorandum 





Subject: INFORMATION: C11N004CCU: DOT SERVERS (DOTHQNWMS005, OSTHQNWAS006)

Date: March 28, 2011

From: (b)(6), (b)(7)c
Computer Crimes Unit, JI-2

To: (b)(6), (b)(7)c
File

Reply to Attn of: JI-2


On December (b)(2), 2010, (b)(6), (b)(7)c US-CERT, contacted the DOT Cyber Security Management Center (CSMC) as well as the OIG's Computer Crimes Unit (CCU) about a computer security incident. (b)(6), (b)(7)c advised that US-CERT received information that two Internet Protocol (IP)

(b)(5), (b)(7)e

(b)(5), (b)(7)e Any further information on this incident was classified.


On December (b)(6), (b)(7)c, 2010, CCU spoke with (b)(6), (b)(7)c CSMC and (b)(5), (b)(7)c




(b)(5), (b)(6), (b)(7)c, (b)(7)e 


(b)(5), (b)(6), (b)(7)c, (b)(7)e




(b)(5), (b)(6), (b)(7)c, (b)(7)e


(b)(5), (b)(6), (b)(7)c 

-----Original Message-----
From: (b)(6), (b)(7)c
Sent: Thursday, December 23, 2010 9:52 AM
To: Orndorff, Andrew (OST); (b)(6), (b)(7)c
Cc: (b)(6), (b)(7)c
Subject: Re: Update

I want to reiterate (b)(6), (b)(7)c word and want to personally thank all of you for your help. I look forward to working together more in the future.

In the meantime we will work with you to mitigate this current activity.

Sent using BlackBerry

On January (b)(2), 2011, ORNDORFF advised that he spoke to (b)(6), (b)(7)c and received an unclassified update as to the status of the compromised servers:

STATUS:


(b)(5), (b)(6), (b)(7)c, (b)(7)e







4) US-CERT will provide USDOT a copy of the preliminary analysis report by COB 1/6/2011.


(b)(5), (b)(6), (b)(7)c 


6) US-CERT has authorized USDOT to remediate the servers identified in the original incident/data request and to return them to full production service.

CCU is closing this complaint because US-CERT has obtained the data they requested,

(b)(5), (b)(6), (b)(7)c

(b)(5), (b)(6), (b)(7)c

CCU support is no longer required.






Memorandum 





Subject: INFORMATION: Forensic Analysis of OIG Laptop (C11N001CCU)

Date: November 15, 2010

From: (b)(6), (b)(7)c
Computer Crimes Coordinator, JI-2

To: (b)(6), (b)(7)c
(b)(6), (b)(7)c
Acting Chief Information Officer, JM-40

Reply to Attn of: JI-2

Attached for your information is a Forensic Media Analysis (FMA) report that 
summarizes the results of a Computer Crimes Unit (CCU) forensic examination of the 
reported compromise of an Office of Inspector General (OIG) issued laptop computer. 

On September 1, 2010, the Cyber Security Management Center (CSMC) provided OIG 
with a computer security incident report showing that (b)(5), (b)(7)e 


(b)(5), (b)(7)e 


Based upon the forensic analysis, it is believed that the 

(b)(5), (b)(7)e 

(b)(5), (b)(7)e 



We are forwarding our FMA for informational purposes only. We are closing our file on this matter. If you have any questions, or if we can be of further assistance, please do not hesitate to contact (b)(6), (b)(7)c (work) or (b)(6), (b)(7)c.

(1) Attachment






